
I am trying to modify .byte 0x0e and .byte 0x04. I tried to use inc byte ptr [rip+offset] to get to the address of .byte 0x0e and .byte 0x04 and change them. I ran gef and got SIGSEGV at those instructions. The offset should be correct, as I ran objdump and it shows the index of the hex byte correctly.

I tried to use lea r11, [_start] to get to the address, but it did not work when I assembled the code.

.global _start
_start:
.intel_syntax noprefix
    mov rdx, 0x00000067616c662f     # "/flag" as little-endian bytes, NUL padded
    push rdx                        # path string now lives on the stack
    mov rax, 2                      # open(2) syscall number
    mov rdi, rsp                    # rdi = pointer to "/flag"
    xor rsi, rsi                    # rsi = O_RDONLY
    inc byte ptr [rip+0xc]          # patch the first .byte below
    inc byte ptr [rip+0x6]          # patch the first .byte below
    inc byte ptr [rip+0x1]          # patch the second .byte below
    .byte 0x0d
    .byte 0x04
  • .byte 0x0d should be modified as .byte 0x0f
  • .byte 0x04 should be modified as .byte 0x05
  • Then a syscall should be initiated with 0f 05
Michael Petch
Gan Sama
    Code (the `.text` section) is in executable read-only pages. It can't be written to by default. This answer may be related: https://stackoverflow.com/questions/27581279/make-text-segment-writable-elf . Your exploit, though, when running in a target program won't have this problem because the stack is writeable, but in that case you have to mark the stack as executable (i.e.: https://stackoverflow.com/a/57846177/3857942 ) – Michael Petch Sep 13 '19 at 16:20

1 Answer


Wouldn't you want your .byte to be 0x0e, if you want to inc it to 0x0f? The syntax you want for the lea statement is

lea r11, _start[rip]

You can put your .byte pieces under another section and inc byte ptr section_name[rip], so you don't need to know the actual distance to the memory in question, then jmp to the section to execute the syscall.

Bhargav Rao
Tyler